Cybersecurity researchers have disclosed multiple security vulnerabilities in four popular Microsoft Visual Studio Code (VS Code) extensions that, if successfully exploited, could allow threat actors to steal local files and execute code remotely.
The extensions, which have been collectively installed more than 125 million times, are Live Server, Code Runner, Markdown Preview Enhanced, and Microsoft Live Preview.
“Our research demonstrates that a hacker needs only one malicious extension, or a single vulnerability within one extension, to perform lateral movement and compromise entire organizations,” OX Security researchers Moshe Siman Tov Bustan and Nir Zadok said in a report shared with The Hacker News.
Details of the vulnerabilities are as follows –
CVE-2025-65717 (CVSS score: 9.1) – A vulnerability in Live Server that allows attackers to exfiltrate local files, tricking a developer into visiting a malicious website when the extension is running, causing JavaScript embedded in the page to crawl and extract files from the local development HTTP server that runs at localhost:5500, and transmit them to a domain under their control. (Remains unpatched)
CVE-2025-65716 (CVSS score: 8.8) – A vulnerability in Markdown Preview Enhanced that allows attackers to execute arbitrary JavaScript code by uploading a crafted markdown (.md) file, allowing local port enumeration and exfiltration to a domain under their control. (Remains unpatched)
CVE-2025-65715 (CVSS score: 7.8) – A vulnerability in Code Runner that allows attackers to execute arbitrary code by convincing a user to alter the “settings.json” file through phishing or social engineering. (Remains unpatched)
A vulnerability in Microsoft Live Preview allows attackers to access sensitive files on a developer’s machine by tricking a victim into visiting a malicious website when the extension is running, which then enables specially crafted JavaScript requests targeting the localhost to enumerate and exfiltrate sensitive files. (No CVE, Fixed silently by Microsoft in version 0.4.16 released in September 2025)
To secure the development environment, it’s essential to avoid applying untrusted configurations, disable or uninstall non-essential extensions, harden the local network behind a firewall to restrict inbound and outbound connections, periodically update extensions, and turn off localhost-based services when not in use.
“Poorly written extensions, overly permissive extensions, or malicious ones can execute code, modify files, and allow attackers to take over a machine and exfiltrate information,” OX Security said. “Keeping vulnerable extensions installed on a machine is an immediate threat to an organization’s security posture: it may take only one click, or a downloaded repository, to compromise everything.”
📰 Original Source:TheHackerNews ✍️ Author: info@thehackernews.com (The Hacker News)
To provide the best experiences, we use technologies like cookies to store and/or access device information. Consenting to these technologies will allow us to process data such as browsing behavior or unique IDs on this site. Not consenting or withdrawing consent, may adversely affect certain features and functions.
Functional
Always active
The technical storage or access is strictly necessary for the legitimate purpose of enabling the use of a specific service explicitly requested by the subscriber or user, or for the sole purpose of carrying out the transmission of a communication over an electronic communications network.
Preferences
The technical storage or access is necessary for the legitimate purpose of storing preferences that are not requested by the subscriber or user.
Statistics
The technical storage or access that is used exclusively for statistical purposes.The technical storage or access that is used exclusively for anonymous statistical purposes. Without a subpoena, voluntary compliance on the part of your Internet Service Provider, or additional records from a third party, information stored or retrieved for this purpose alone cannot usually be used to identify you.
Marketing
The technical storage or access is required to create user profiles to send advertising, or to track the user on a website or across several websites for similar marketing purposes.
